From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Emanuel Berg via Users list for the GNU Emacs text editor Newsgroups: gmane.emacs.help Subject: Re: Noob dumb question (extending emacs) Date: Thu, 28 Oct 2021 22:56:18 +0200 Message-ID: <8735okj2bx.fsf@zoho.eu> References: <86k0i6uoxd.fsf@duenenhof-wilhelm.de> <871r4ernmt.fsf@zoho.eu> <87o87hnrpt.fsf@zoho.eu> <87y26kkuag.fsf@web.de> <87zgr0t3vw.fsf@web.de> <87o87fy4t3.fsf@zoho.eu> <87ilxmsuqq.fsf@web.de> <87k0hxj37u.fsf@zoho.eu> <878rydbcm4.fsf@web.de> Reply-To: Emanuel Berg Mime-Version: 1.0 Content-Type: text/plain Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="21582"; mail-complaints-to="usenet@ciao.gmane.io" User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/29.0.50 (gnu/linux) To: help-gnu-emacs@gnu.org Cancel-Lock: sha1:PIdCBSYXyEqlSw5bOitRo7IJo0I= Original-X-From: help-gnu-emacs-bounces+geh-help-gnu-emacs=m.gmane-mx.org@gnu.org Thu Oct 28 22:57:10 2021 Return-path: Envelope-to: geh-help-gnu-emacs@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1mgCSS-0005DZ-Vx for geh-help-gnu-emacs@m.gmane-mx.org; Thu, 28 Oct 2021 22:57:08 +0200 Original-Received: from localhost ([::1]:38200 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mgCSR-00042p-DW for geh-help-gnu-emacs@m.gmane-mx.org; Thu, 28 Oct 2021 16:57:07 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:60426) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mgCRr-00042Z-UN for help-gnu-emacs@gnu.org; Thu, 28 Oct 2021 16:56:33 -0400 Original-Received: from ciao.gmane.io ([116.202.254.214]:49132) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mgCRp-0001YA-SU for help-gnu-emacs@gnu.org; Thu, 28 Oct 2021 16:56:31 -0400 Original-Received: from list by ciao.gmane.io with local (Exim 4.92) (envelope-from ) id 1mgCRm-00045O-FI for help-gnu-emacs@gnu.org; Thu, 28 Oct 2021 22:56:26 +0200 X-Injected-Via-Gmane: http://gmane.org/ Mail-Followup-To: help-gnu-emacs@gnu.org Mail-Copies-To: never Received-SPF: pass client-ip=116.202.254.214; envelope-from=geh-help-gnu-emacs@m.gmane-mx.org; helo=ciao.gmane.io X-Spam_score_int: -15 X-Spam_score: -1.6 X-Spam_bar: - X-Spam_report: (-1.6 / 5.0 requ) BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: help-gnu-emacs@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Users list for the GNU Emacs text editor List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: help-gnu-emacs-bounces+geh-help-gnu-emacs=m.gmane-mx.org@gnu.org Original-Sender: "help-gnu-emacs" Xref: news.gmane.io gmane.emacs.help:134264 Archived-At: Michael Heerdegen wrote: >>> 48 ln(2) >>> l = -------- ~ 8.13. >>> ln(60) >>> >>> That would mean that already for a length of 9 only a small >>> fraction of passwords are computable. >> >> Okay, why do you say/how do you know that? > > Anything besides used entropy is deterministic. > > If you initialize the seed with a certain entropy, it means > that you randomly get one seed out of N possible (known) > seeds. In our case N = 2^31 (or something like that). > > To understand the reasoning behind the following it can help > to assume a small N, e.g. N=2, N=10 or N=100, and then think > about what fundamentally changes if N is larger (actually > nothing, you only need accordingly more tries to guess). > This is all quite trivial, only the large numbers involved > cloud a bit what is going on. > > Ok. Those possible seeds are known (computable) to everyone: > You start with a random seed out of a public list of > N seeds. > > With each of these seeds, `random' will generate one out of > N possible predefined sequences of numbers. With the > exception: If N is larger than the number of possible > different results of `random' (a finite number of course), > let's name it "M", then you must set N = M in the > following considerations. > > So if you use a publicly known deterministic algorithm using > `random', your algorithm will generate one out of N possible > publicly known password sequences for each call. > > Security of these passwords stands and falls with the size > of N: > > Say your algorithm calculates passwords using an alphabet > consisting of a number b of letters, e.g. b=60 for small and > capital letters plus some special characters. Then the > entropy used is enough to generate pseudo-random passwords > of a length l when b^l ~ N (where "~" means "is > approximately"). > > Why? If l is smaller, b^l < N, your algorithm would often > calculate the same password for different seeds, and you > would waste a portion of the initial randomness (entropy). > > If l is larger, b^l > N, the passwords per se are stronger > in theory but... that doesn't matter if you publish the > algorithm that computed the passwords (or one can guess that > algorithm). Then I still have to try only N passwords, not > more than when a smaller password length is used. One could > say that those longer passwords contain redundancy: a part > of those password strings is determined by the rest of the > password string and doesn't offer additional security. > > The situation would be similar to posting on your homepage: > > "Any of my accounts uses a password out of this list: > > { "nx4BgzrJmZq0+!YPp "%d~8bqv1j^rl51\6(9#/d[!D91_X_H/=`|&S]|SQ", > ":2A]sw=V;--q)RKLOIdoxd`9B+4#Q5[WY\8yFNl", > "?ljGuo\-;VF"9;F$MgU~uP|Ztk$!!9kxAsv~,Lv?", > ">%M\s=>!xHP9|EMEzR[&Wu&$,\]lS`fN1y:Bc!Ey", > "igbf^Hlcxyg,A0MBa>d:!,}{x"j%?Qi^,P "/iGww)fjE:*$:uv,$>)M=M?|UF2DZ4|>*Mx"&>(;!, > "EzIRpdH|;R^1iTAG'*P5LdoJ5sS_Y2kN#S:{S_a\", > "rLBtPlQ6Unml'5`+B*l^LA}8>/8C}=I)1(']Zqz+", > "Zt.J$fP<$zU)^AH} > Those are all very strong passwords, and the method I use > to choose one of them randomly is so clever and uses so > much entropy that it's impossible to guess it. > Try it, Mentalist!" > > But since all of those possible passwords are publicly known > the situation is not better than using a random password out > of {"0", "1",..., "9"}: not more secure than using random > passwords of length 1 (even less). > > Or using the formula mentioned, > > ln(N) ln(10) > ------ = -------- < 1. > ln(b) ln(60) I don't think I saw that, what does it say? I've seen the first one, this 48 bits, alphabet length n, password length l 2^48 = n^l <=> 48*ln(2) = l*ln(n) <=> l = 48*ln(2)/ln(n) which in Elisp is (defun epwgen-space-size-2 (bits abc-len) (/ (* bits (log 2)) (log abc-len) )) ;; (epwgen-space-size-2 48 60) ; 8.13 Are you saying, that it is saying, "with 48 bits passwords longer than 8.13 chars don't make it more secure"? -- underground experts united https://dataswamp.org/~incal